I hate being proven right – mass pwnage

Seriously. When will people (even security pros) ever learn? This is the IRC log between a few security pros who are involved in w00w00.org and BlackOps.org, from an insanely long tour de force brag post that seemingly showed up folks from the big guns like Google, through security ISVs such as Core Security, to several security pros that I truly admire. I am not perfect, and honestly, I feel for these folks as it could happen to me, but weak passwords? OMG! Passwords seem to have cost one of them a great deal of money and time, irreversible data loss, and now involved law enforcement (update – see comments, this log is from the 1990’s; I’m so duh that I missed that bit, but it still proves my point that passwords have sucked for a long time):

  [14:41] <@rkl> shit.
  [14:41] <@rkl> whoever broke into blackops.org
  [14:41] <@rkl> when we caught them
  [14:41] <@rkl> they began rm filesystems
  [14:41] <@rkl> and removed my only copy of some photos i had of me and my
          fiance'
  [14:42] <@rkl> that i had up there for like 2 days while i reinstalled my OS
  [14:42] <@rkl> she's going to be sad about that
  [14:44] <@nobody> ur shitting me
  [14:44] <@nobody> who broke in?
  [14:44] <@rkl> we know.
  [14:44] <@rkl> luckily they were incompetent
  [14:44] <@rkl> however
  [14:44] <@nobody> bunch of savages in this town
  [14:44] <@rkl> because they tried to use blackops as a platform to launch
          attacks against a few corporations
  [14:44] <@rkl> now the FBI is involved
  [14:45] <@nobody> wonderful
  [14:45] <@rkl> me and murray couldnt' give a rat's ass
  [14:45] <@rkl> we back up blackops 1 time a month
  [14:45] <@rkl> to cd, now dvd
  [14:45] <@rkl> they got in through a weak user passwd
  [14:45] <@rkl> cause there were near 100 users
  [14:45] <@rkl> just normal users, so they didn't practice good security with their passwds
  [14:45] <@nobody> typical
  [14:46] <@rkl> we've had to turn over everything to the FBI
  [14:46] <@nobody> a system is only as secure as its users

In my previous post, my first item stated unequivocally that passwords are crap and first against the wall when the revolution comes. That revolution starts today.

Everyone’s New Year resolution has to be to change their crappy password (or in the rare case, passwords) for their computer to a passphrase (20 characters or more), install a password manager, and change all those crappy passwords into long (20 characters or more) random passwords for every single service. If your service doesn’t let you use > 20 character passwords, STOP USING IT. There’s something very dumb, wrong and insecure with that service.

I do not have a single password that is the same for any service on the Internet. Changing a password to me is extremely simple because I DO NOT CARE about any of them. I do not type them, I do not remember them. They are all at least 20 characters long, and occasionally way more if I care about the system in question.

Additionally, I have no truthful answers for the weak Q&A security backdoor on any system I use. What is your first pet’s name? Just try to crack fazEha*u@eJAM#!#6DafRatrAm6Q before the universe ends. p.s. I generated that one just for this blog entry. Don’t waste your time trying it out anywhere.
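What a password manager does for the two habits described above (a separate long random password per service, and random rather than truthful Q&A answers), as an added example that is not code from this blog or from any particular password manager. The service names, the question and the length caps are constructed sample values.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_secret(length=20, alphabet=ALPHABET):
    """Draw `length` symbols uniformly from `alphabet` using the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def effective_bits(length, site_max):
    """Entropy that survives when a site caps passwords at `site_max` characters."""
    return entropy_bits(min(length, site_max))


def build_vault(services, questions, length=20):
    """One independent password per service, plus a random 'answer' per question.

    The answers are stored like passwords, so nothing about the user's real
    life (pet names, schools) can be used to get past the recovery form.
    """
    return {
        service: {
            "password": random_secret(length),
            "answers": {q: random_secret(length) for q in questions},
        }
        for service in services
    }


if __name__ == "__main__":
    # Constructed sample input: hypothetical services and one recovery question.
    vault = build_vault(["mail.example", "bank.example"],
                        ["What is your first pet's name?"])
    for service, entry in vault.items():
        print(service, len(entry["password"]), "chars,",
              len(entry["answers"]), "random answer(s)")
    for cap in (8, 16, 64):  # illustrative site length limits
        print(f"cap {cap:>2}: {effective_bits(20, cap):.1f} bits")
```

A 20-character secret over this alphabet carries about 131 bits; a site that caps input at 8 characters leaves about 52 of them.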

Passwords are insecure, always have been, always will be, and that goes double for the horrifically insecure Q&A backdoor insisted upon by many sites that should (and most likely do) know better. Passwords are unsuitable even for this blog. Folks who say passwords are free or worse – “the norm” – are idiots and should be ignored whilst the rest of us get on with getting rid of them as Priority #1.

CALL TO ACTION!

If you are responsible for passwords on your site or service, the very first thing you must do when you get back to work is to call an urgent meeting with all stakeholders. The very first agenda item must be “We’re getting rid of passwords as of right now. How do we do that?” Don’t stop until you succeed. Your users will love you.

If you are a victim of passwords, you should ask “Why are we still using passwords? When will you get rid of them?”

Just Do it. Do It Now. I’m deadly serious.

Comments

10 responses to “I hate being proven right – mass pwnage”

  1. Kai Sellgren

    Last time I tried to use a long password on PayPal, they refused it saying the maximum number of characters is 16. I never understood why, but I hope it has changed since then.

  2. luciocamilo

    Please, suggest one password manager…

  3. rkl

    While I support your point, I’d like to point out that log is circa late 90’s. Passwords are indeed from the devil.

  4. vanderaj

    I’m glad I used the word “seemingly” in there 🙂

  5. vanderaj

    I use KeePass X as it’s cross-platform and allows me to create and manage passwords safely and easily. If you’re a Mac user, 1Password is commercial and does a good job. I am not sure of native password managers for the PC, but KeePass 2.0 runs under .NET just fine.

  6. rkl

    Don’t worry, “seems” many people have been fooled by this release. By my count each and every one of these “dumps” is historical. There’s nothing current there. However, if you want to promote non-passwords, check out duosec.com (ironically, dugong (monkey.org)’s new company) the shit works.

  7. vanderaj

    Will check it out, thanks! 🙂

  8. AbiusX

    It is nice to know that many of the websites I come across these days not only won’t allow 20 char long passwords (why do they care? after all it’s the hash they have to store, not the password itself!), they won’t even allow a mixture of chars and nums and special chars.

    I’ve been using KeepassX since I was 10 and I synch the database quite frequently, but the fact that many sites won’t allow usage of strong passwords is very boring.

  9. Big Red

    Trouble is dude, that *all* of my financial institutions stop at 8 chars. Now, admittedly, they require mixed case, mixed alpha-num, and at least one non-alphanum password, but I am not going to switch banks and credit unions… 🙂

  10. Robert Chapin

    @Kai The strength of a website password actually comes from the storage and transport implementations. For example, a password hash or session key may be used instead of transmitting your password in the clear. If the session key is only 128 bits long, then a corresponding password longer than 16 chars is at best more complex than the actual session key, or at worst could be significantly less secure than some shorter password. PayPal might limit your input for that exact reason.
